Do you want to know a secret? Take a look at the most popular financial apps


Financial apps access valuable and sensitive personal data, so you’d think mobile app security would be top of mind for financial institutions. But is it?

In early 2023, Approov Mobile Threat Lab published the results of an automated scan of the top 200 financial apps for downloads in four countries – the US, the UK, France and Germany. The full report can be downloaded here. Of course, there are thousands of financial apps installed in every country, but the 650 unique apps the team looked at cover millions of users and handle billions of dollars, euros, pounds, not to mention a huge number of cryptocurrencies.

The team investigated how well these applications hide secrets. Here “secrets” means sensitive information such as API keys, access tokens, usernames, passwords, encryption keys and other credentials used to authenticate to back-end services and authorize access to their resources. These secrets are confidential and must be protected from unauthorized access, manipulation or disclosure. Some secrets are more useful to hackers than others, and the most useful of these are the API keys used by mobile apps.

Secrets can be stolen in many ways. They can be taken from containers, appear in application code, or be intercepted when an application is running. Hackers can use them to access APIs, steal data, and derail services. This research looked at what secrets can be extracted immediately and how well the applications are protected at runtime.

This blog briefly discusses the risks of exposing API keys and describes what types of keys the team found directly in the mobile app code. My next blog will look at how keys can be stolen at runtime and share with you what the team found about the runtime exposure of the applications we tested.


Mobile App Security and API Keys

Mobile apps are now critical to most businesses, and as previous research supported by Approov has confirmed, they often access dozens of APIs to do their jobs. Unfortunately, mobile app code can be inspected and client environments can be manipulated, so the APIs behind the apps have become a target for hackers.

When applications use an API, they usually register and receive a key. This identifies the application to the backend API and authenticates the calling application so the API backend knows which application is making the request. This blocks all anonymous traffic and can be used to limit data requests.

It is sometimes argued that if the API requires valid user authentication tokens, then API keys do not actually need to be kept secret, as they only identify the application and are secondary to user authentication. However, if user accounts are easy to register, anyone, including an attacker, can obtain a valid user login and access the API with a stolen key.

What can go wrong when API keys are exposed? The risk depends on the capabilities of the specific API whose key has been compromised. Recent examples show significant data breaches through scripts using stolen API keys.

The myth of obfuscation

The team sought to evaluate what types of secrets could be extracted from the code using automated static analysis with readily available tools. Secrets were found in almost all of the applications, which access a wide variety of backend APIs.

Despite many claims of improved cybersecurity awareness and better development and testing tools, most applications still hide secrets in their code. The scanners could detect whether obfuscation had been applied to the code, but unfortunately obfuscation had little effect on the number or type of secrets discovered and extracted. Obfuscation may deter hobbyists, but not serious hackers.


The secrets found were categorized as low, medium and high value. Although low-value secrets do not directly “impact services”, hackers can still use them to access these APIs and publish incorrect or misleading data, undermining the quality of analytics or causing support teams to waste time chasing what appear to be widespread phantom defects.

High-value secrets are those we consider extremely dangerous if revealed. Some examples are private keys, keys for payment or transfer services, and keys that include “authentication” or “certificate”.
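The kind of pre-release check the static scan above implies, as an added example (not the report's own tooling): a small scanner that walks strings pulled from an app build, flags credential-looking assignments and PEM private-key headers, and sorts them into the low/medium/high buckets the report uses. The sample strings, the name hints and the value-length threshold are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of strings as they might be dumped from a decompiled
# app's resources or bytecode. Values are made up, not real credentials.
SAMPLE_STRINGS = [
    'analytics_key = "an-1234567890abcdef"',
    'MAPS_API_KEY = "maps-0987654321fedcba"',
    'payment_gateway_secret = "pay_live_ABCDEF0123456789"',
    'AUTHENTICATION_TOKEN = "auth-zzzz1111yyyy2222"',
    '-----BEGIN RSA PRIVATE KEY-----',
    'app_name = "Demo Bank"',
]

# Illustrative patterns: a name = "value" assignment with a value long enough
# to plausibly be a credential, and a PEM private-key header.
ASSIGNMENT = re.compile(r'(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*"(?P<value>[^"]{12,})"')
PEM_PRIVATE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Name hints are an assumption, loosely following the report's categories:
# private, payment/transfer, authentication and certificate keys rank high.
HIGH_HINTS = ("private", "payment", "transfer", "authentication", "certificate")
LOW_HINTS = ("analytics", "telemetry", "metrics")
MEDIUM_HINTS = ("api", "token", "secret", "password")

def classify(name: str) -> str:
    """Map a credential name to the low/medium/high value buckets."""
    n = name.lower()
    if any(h in n for h in HIGH_HINTS):
        return "high"
    if any(h in n for h in LOW_HINTS):
        return "low"
    if any(h in n for h in MEDIUM_HINTS):
        return "medium"
    return "unknown"

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (name, category) for every credential-looking line."""
    findings = []
    for line in lines:
        if PEM_PRIVATE.search(line):
            findings.append(("private_key_block", "high"))
            continue
        m = ASSIGNMENT.search(line)
        if m and classify(m.group("name")) != "unknown":
            findings.append((m.group("name"), classify(m.group("name"))))
    return findings

def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per bucket, the figure a release gate would check."""
    counts = {"low": 0, "medium": 0, "high": 0}
    for _, category in findings:
        counts[category] += 1
    return counts
```

A build gate that fails on any "high" finding catches the most dangerous keys before the binary ships, regardless of whether obfuscation is applied afterwards.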

Source: approov.io

Conclusion

In summary, 92% of the most popular banking and financial services apps contained easily extracted API keys that could be used to attack APIs in scripts and bots and steal data. 23% of apps leaked highly sensitive secrets. These results are disappointing to say the least – we all use apps to manage our finances and we need to be able to trust our financial institutions.

The worst part about this is that there are better ways to protect your API keys so that they are never exposed to hackers. For example, API keys can be stored on a secure server and retrieved “just in time” by the mobile app at runtime. This way, the API keys are not hardcoded into the application and are not as easily accessible to attackers.
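The “just in time” pattern described above, as an added illustration rather than Approov's or any vendor's implementation: the app binary contains no API key; at runtime it presents a short-lived token to a key broker, which releases the backend API key only if the token verifies and has not expired. The attestation step is simulated here as an HMAC over the app identifier and expiry, signed with a secret the app never holds; all names and values are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo values (not real credentials). Both secrets live server-side only.
ATTESTATION_SECRET = b"demo-attestation-signing-secret"
BACKEND_API_KEYS = {"com.example.bank": "payments-api-key-DEMO-0001"}

def issue_attestation(app_id: str, now: int, ttl: int = 300) -> str:
    """Attestation service side: bind app_id to an expiry and sign it.
    In a real deployment this would only be issued after the app passed
    an integrity check; here that check is assumed to have succeeded."""
    exp = now + ttl
    msg = f"{app_id}|{exp}".encode()
    sig = hmac.new(ATTESTATION_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{app_id}|{exp}|{sig}"

def release_api_key(token: str, now: int) -> Optional[str]:
    """Key broker side: hand out the API key only for a valid, unexpired token.
    Returns None on malformed, tampered or expired tokens."""
    try:
        app_id, exp_str, sig = token.split("|")
        exp = int(exp_str)
    except ValueError:
        return None
    expected = hmac.new(ATTESTATION_SECRET, f"{app_id}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(sig, expected):
        return None
    if now >= exp:
        return None
    return BACKEND_API_KEYS.get(app_id)
```

Because the key is only ever held in memory for the duration of a session, a static scan of the shipped app finds nothing to extract, and the broker can revoke or rotate the key without shipping a new build.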

Download the full report to see detailed data by country and category, along with recommendations for better managing and protecting mobile app secrets. The full report can be downloaded here.

In my next blog, I will address the second aspect of the report’s findings: How exposed are these financial applications at runtime?


*** This is a Security Bloggers Network syndicated blog from Approov Blog, written by George McGregor. Read the original post here:
